POS Malware Overview for the 2014 Holiday Shopping Season

By Dan Mitchell on December 2, 2014

Almost a year has passed since the infamous Target breach that took place during the 2013 holiday shopping season, resulting in the digital theft of an unprecedented 70 million consumer credit cards and dominating headlines in the weeks that followed.

In 2014, the trend continued with a long list of other major retailers, and thousands of smaller retailers alike, that discovered, or were notified of, breaches involving similar strains of POS malware. Many instances of new malicious code introduced more sophisticated capabilities and methods, while others shared code and functionality with their predecessors. The following analysis will focus on demonstrating how open source intelligence from Recorded Future can be used to gain insight and provide the “big picture” on this epidemic, concentrating specifically on the following angles:

Tracking POS Malware Activity

Selling stolen payment data on card sites has become a lucrative business for cyber criminals.

Botnets have become an integral part of the malicious infrastructure and share code with other well-known malicious campaigns such as Zeus and Citadel.

Some POS malware appears to target specific retail segments, like food and beverage.

There is likely a larger population of retailers who have been breached without publicly disclosing, and this activity is ongoing and will continue for the foreseeable future.

Attribution Clues

Below is a timeline of attribution clues as reported by public web data.


Here’s the timeline overview of attribution information:

Dexter has been lurking around since circa 2012, and many of the newer variants borrow its code and functionality.

Dexter had a large presence in the Middle East and later made its way to the West, suggesting it may have been authored by a foreign entity.

BlackPOS was attributed to a 17-year-old Russian kid who uses the handle “Ree4.”

Ree4 has allegedly sold 40 builds of BlackPOS code kits to cybercriminals, who are finding a lucrative business selling stolen data on “card shops” like Rescator, Trak2.name and Privateservices.biz; many more are yet to be uncovered.

The Decebal malware has been linked to coders in Romania.

Decebal, VSkimmer and JackPOS have allegedly been used by a criminal known as “Rome0,” likely a Romanian cyber criminal or gang of organized cyber criminals.

FrameworkPOS contained strings with hidden anti-US-military messages, indicating possible sponsorship by a nation-state funded threat actor, or a hacktivist group with different motives.

Conclusion

Analysis of POS malware has been a mounting challenge for information security professionals and researchers throughout the global community. Each successive breach and new malware strain seems to be closely related to, or at least bears a resemblance to, its predecessor.

A large portion of analysis has been riddled with misattribution and convolution for two reasons. First, many of the important technical details and indicators remain barricaded behind the red tape of law enforcement investigations, so actual samples of malicious code have been sparse until very recently. Second, the malware variants being discovered have functional symmetry and structure but are being used by a wide and diverse set of threat actors: some acting alone, others in highly organized fashion, and others with clear political and possibly even militant agendas.

One thing is certain: we are dealing with an increasingly sophisticated and well-orchestrated set of adversaries on multiple fronts. This also applies to the broader cyber threat landscape. One has to wonder if there’s a state-sponsored adversary at play here, intent on disrupting the US economy by dismantling consumer confidence and trust. Retailers will have to be vigilant about protecting their consumers’ credit card and other personal data by investing in new payment card technology, and manufacturers will need to innovate systems that are less prone to exploitation.

It will take some time for the consumer to regain trust in the wake of these breaches. Some retailers have already begun to transition, or have publicly stated their plans to upgrade, to the newer and more secure EMV payment systems, also known as chip and PIN. This technology has already been widely adopted throughout Europe and while it may help mitigate some of the risk of today’s credit card theft at the terminal, it will by no means be a silver bullet.

Take Action

Understand that deciding to do all your shopping online will not make you immune to credit card theft.

Keep all of your receipts for no less than a year. Your receipts effectively become a timestamp you can use to cross reference against future retailer public breach disclosures.

Consider doing business with companies that have already publicly disclosed being breached. Sounds crazy, I know, but consider the possibility they are likely more aware of the threat landscape and are actively engaged in deploying enhanced detection capabilities and refining their mitigation strategies to avoid further public scrutiny. In the end, use your best judgement.

Consider deploying custom detection content that detects anomalies in HTTP headers along with suspicious-looking POST and GET requests; attackers will often communicate in the clear while evading traditional detection.
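As an illustration of the kind of custom detection content meant here, the following is an added example written for this page, not code from Recorded Future or from any of the malware analyses it summarizes. It scores captured plaintext HTTP requests on a few header and payload anomalies a defender would look for on a store network: a destination that is a bare IP address rather than a hostname, a non-standard port, a missing or stub User-Agent, and a base64 blob in the query string or body that decodes to a Luhn-valid card-number-like string. The requests, the weights and the alert threshold are all constructed assumptions (RFC 5737 test addresses, `.test` domains and the 4111… Visa test number), and the matched card number is masked before it is reported so the alert itself does not leak the data.

```python
"""Toy HTTP anomaly detector for POS-style exfiltration (added example).
All requests below are constructed test data; weights and thresholds are
assumptions to be tuned per environment, not vendor rules."""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed captures of outbound requests from a store network.
SAMPLE_REQUESTS = [
    # Ordinary catalogue fetch: named host, full browser User-Agent.
    "GET /catalog.json HTTP/1.1\r\n"
    "Host: www.example-vendor.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0\r\n"
    "Accept: application/json\r\n\r\n",
    # POST straight to an IP, stub User-Agent, base64 body that decodes to
    # the constructed string "4111111111111111=2512" (Visa test PAN).
    "POST /upload.php HTTP/1.1\r\n"
    "Host: 198.51.100.23\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 33\r\n\r\n"
    "data=NDExMTExMTExMTExMTExMT0yNTEy",
    # GET beacon to an IP on a non-standard port with a stub User-Agent.
    "GET /gate.php?id=U1lTVEVNLVBPUzAx HTTP/1.1\r\n"
    "Host: 203.0.113.7:8080\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
    # Legitimate-looking batch upload to a named payment processor.
    "POST /api/batch HTTP/1.1\r\n"
    "Host: payments.example-processor.test\r\n"
    "User-Agent: POSClient/2.1\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 12\r\n\r\n"
    '{"batch":17}',
]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
BARE_UA = re.compile(r"^Mozilla/\d\.\d$")        # assumed "stub" UA pattern
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
DIGIT_RUN = re.compile(r"\d{13,19}")             # PAN lengths per ISO/IEC 7812
ALERT_THRESHOLD = 3                              # assumed; tune per environment


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def luhn_ok(digits):
    """Standard Luhn mod-10 check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def decoded_card_data(text):
    """Return a masked PAN if a base64 blob in text decodes to printable ASCII
    holding a Luhn-valid 13-19 digit run, else None (never log the full PAN)."""
    for blob in B64_BLOB.findall(text):
        if len(blob) % 4:
            continue
        try:
            plain = base64.b64decode(blob, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if not plain.isprintable():
            continue
        for run in DIGIT_RUN.findall(plain):
            if luhn_ok(run):
                return run[:6] + "*" * (len(run) - 10) + run[-4:]
    return None


def score_request(raw):
    """Return (score, [(reason, weight), ...]) for one raw request."""
    _method, target, headers, body = parse_request(raw)
    host, _, port = headers.get("host", "").partition(":")
    port = int(port) if port else 80          # plaintext capture: default 80
    findings = []
    if IPV4.match(host):
        findings.append(("destination is a bare IP address", 2))
    if port not in (80, 443):
        findings.append((f"non-standard port {port}", 1))
    ua = headers.get("user-agent")
    if ua is None or BARE_UA.match(ua):
        findings.append(("missing or stub User-Agent", 2))
    masked = decoded_card_data(urlsplit(target).query + " " + body)
    if masked is not None:
        findings.append((f"base64 payload decodes to card-like data {masked}", 5))
    return sum(w for _, w in findings), findings


def detect(requests):
    """Return [(index, score, reasons)] for requests at or above the threshold."""
    alerts = []
    for i, raw in enumerate(requests):
        score, findings = score_request(raw)
        if score >= ALERT_THRESHOLD:
            alerts.append((i, score, [reason for reason, _ in findings]))
    return alerts


if __name__ == "__main__":
    for i, score, reasons in detect(SAMPLE_REQUESTS):
        print(f"request {i}: score {score}")
        for reason in reasons:
            print("   -", reason)
```

Run as a script, it alerts on the second and third constructed requests (the IP-destination POST carrying encoded card-like data, and the beacon on port 8080) and stays quiet on the two named-host requests. The weights are deliberately additive so that a single weak signal such as a non-standard port does not alert on its own, while decoded card-like data is enough by itself; in a real deployment the header heuristics would be replaced by a baseline of the User-Agents and destinations the store's own POS software is known to use.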